AWS Developer Tools Blog

AWS CLI v2 Preview Now Supports AWS Single Sign-On

We are excited to announce that the AWS CLI v2 preview now supports direct integration with AWS Single Sign-On (SSO). You can now create CLI profiles that are linked to SSO accounts and roles. The CLI will automatically retrieve AWS credentials from SSO and refresh them on your behalf. There are new commands to help manage the CLI SSO profiles. This eliminates the need to copy and paste temporary AWS credentials from the AWS SSO console.

To get started you need to:

Install AWS CLI v2 Preview

Instructions to install the AWS CLI v2 preview are available in this blog post.

Configure an SSO Profile

After installation, run the aws2 configure sso command. It works like aws configure, but the profile it writes to the AWS shared configuration file is linked to an SSO start URL, account and role rather than to static access keys. During this command you will be prompted to sign in to your SSO directory with a web browser.

$ aws2 configure sso
SSO start URL [None]: https://d-1234567890.awsapps.com/start
SSO Region [None]: us-east-1
Attempting to automatically open the SSO authorization page in your default
browser. If the browser does not open or you wish to use a different device to
authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

ABCD-EFGH
Successfully logged into Start URL: https://d-1234567890.awsapps.com/start
There are 2 AWS accounts available to you.
Using the account ID 123456789012
There are 2 roles available to you.
Using the role name "readOnly"
CLI default client Region [None]: us-west-2
CLI default output format [None]: json
CLI profile name [readOnly-123456789012]: my-sso-profile
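For reference, this is the kind of entry the walkthrough above produces in ~/.aws/config. It is an added illustration built from the values entered in the session above, not output copied from the original post; the key names are the ones AWS CLI v2 uses for SSO profiles. Note that there are no access keys in the file: the account and role are named, and the CLI fetches short-lived credentials for them on demand.

```ini
# ~/.aws/config (illustrative; values match the configure session above)
[profile my-sso-profile]
sso_start_url = https://d-1234567890.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = readOnly
region = us-west-2
output = json
```

Because the profile is just a name binding, this file can be committed to a team dotfiles repository without leaking secrets; the secret material (the SSO access token and the temporary credentials derived from it) lives only in the CLI's local cache.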

Using an SSO Profile

Using an SSO profile is the same as using any other AWS CLI profile. You can specify the SSO profile name with --profile on the command line, or export the AWS_DEFAULT_PROFILE environment variable set to your SSO profile name.

$ aws2 s3 ls --profile my-sso-profile

The CLI will automatically fetch and refresh AWS credentials for your SSO profile. You can confirm which account and role the profile actually resolves to by running aws2 sts get-caller-identity with your SSO profile.

$ aws2 sts get-caller-identity --profile my-sso-profile
{
    "UserId": "ABCD5FTR123ABCDEFGH12:test@example.com",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/rolename/test@example.com"
}

The SSO session behind the profile will eventually expire, and with it the temporary credentials the CLI derives from it. When that happens, run the aws2 sso login command to start a new session; the profile configuration itself does not change.

$ aws2 sso login --profile my-sso-profile
Attempting to automatically open the SSO authorization page in your default
browser. If the browser does not open or you wish to use a different device to
authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

ABCD-EFGH
Successfully logged into Start URL: https://d-1234567890.awsapps.com/start
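The two steps above (check the profile with sts get-caller-identity, re-run sso login when the session has expired) are easy to wrap in a guard that scripts call before doing anything with the profile. The following is an added example, not code from the original post or from the AWS CLI project. It assumes the aws2 preview binary is on PATH and accepts an optional third argument naming the command to run, so the function can be exercised with a stub; it also adds a check the post does not show, refusing to continue if the profile resolves to an account other than the one the caller expects.

```sh
#!/bin/sh
# Added example (not from the AWS blog post). Makes sure an SSO profile has a
# live session and points at the account you expect before anything runs with it.

# ensure_sso_session PROFILE EXPECTED_ACCOUNT_ID [AWS_CMD]
#   Returns 0 when PROFILE resolves to EXPECTED_ACCOUNT_ID, re-running
#   "aws2 sso login" once if the cached SSO session has expired.
#   Returns 1 if login or the identity lookup fails, 2 on an account mismatch.
#   AWS_CMD defaults to "aws2" and exists only so the function can be tested
#   with a stub in place of the real CLI.
ensure_sso_session() {
  profile="$1"
  expected_account="$2"
  aws_cmd="${3:-aws2}"

  # First attempt: does the cached SSO session still yield credentials?
  # --query/--output are standard CLI options; they return just the account id.
  account=$("$aws_cmd" sts get-caller-identity --profile "$profile" \
              --query Account --output text 2>/dev/null) || account=""

  if [ -z "$account" ]; then
    # Session expired (or never established): interactive browser login, then retry.
    "$aws_cmd" sso login --profile "$profile" || return 1
    account=$("$aws_cmd" sts get-caller-identity --profile "$profile" \
                --query Account --output text 2>/dev/null) || return 1
  fi

  # Refuse to proceed if the profile is bound to a different account than expected.
  if [ "$account" != "$expected_account" ]; then
    echo "profile $profile resolved to account $account, expected $expected_account" >&2
    return 2
  fi
  return 0
}

# Usage, e.g. at the top of a deployment script:
#   ensure_sso_session my-sso-profile 123456789012 && aws2 s3 ls --profile my-sso-profile
```

The account check matters more with SSO than with static keys: the same start URL can hand you roles in several accounts, and a profile name like my-sso-profile says nothing about which one it is bound to, so a script that is about to delete or deploy should verify the binding rather than trust the name.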

At the end of the work day you can clear the locally cached SSO session and the temporary AWS credentials derived from it by running aws2 sso logout. Until you do, anyone with access to your user account on that machine can use the cached session for as long as it remains valid.

Check the AWS CLI user guide for detailed explanations of all the new commands and configurations.

The AWS CLI v2 is still in developer preview and we’re looking for feedback to improve new features such as this one. To track development of the AWS CLI v2 or provide feedback, reach out to us on our GitHub repository.